about NLANR

> I used the trace file from NLANR to test Bro. But Bro does nothing but
> report bad checksum.

That's because those traces don't have any packet contents.

But the checksum function does not seem to check the checksum of the contents, just the packet head.

> What should I do to make the trace file available to Bro?

You should first consider whether it will be useful to analyze them with
Bro, given a lack of contents.

I see that stepping.bro is using the ON/OFF algorithm when reporting "time".
I have a novel way to detect connection pairs! And I want to compare my algorithm with the ON/OFF. :)

If so, then "redef ignore_checksums = T" will turn off the checksum tests.

Have a nice day!
-- cloud

the nlanr traces anonymize the ip addresses but do not update the
ip header checksum to reflect that change, so the checksum check will
fail in general.

-- david moore
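
The failure described in the last reply, as an added example that is not part of the original thread: rewriting the addresses in an IPv4 header without recomputing the header checksum leaves a header that no longer verifies. The header fields and addresses below are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_checksum(header: bytes) -> bytes:
    """Return the header with bytes 10-11 set to the correct checksum."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return header[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + header[12:]

def build_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, TTL 64) with a valid checksum."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return set_checksum(raw)

def header_is_valid(header: bytes) -> bool:
    """With a correct checksum field in place, the whole header sums to zero."""
    return ipv4_checksum(header) == 0

def anonymize(header: bytes, src: str, dst: str, fix_checksum: bool) -> bytes:
    """Replace source and destination; optionally recompute the checksum."""
    out = header[:12] + socket.inet_aton(src) + socket.inet_aton(dst) + header[20:]
    return set_checksum(out) if fix_checksum else out

# Constructed sample addresses, not taken from any real trace.
original = build_header("192.168.1.10", "10.0.0.5")
stale = anonymize(original, "10.1.2.3", "10.4.5.6", fix_checksum=False)
fixed = anonymize(original, "10.1.2.3", "10.4.5.6", fix_checksum=True)

if __name__ == "__main__":
    print("original valid:", header_is_valid(original))
    print("anonymized, checksum left alone:", header_is_valid(stale))
    print("anonymized, checksum recomputed:", header_is_valid(fixed))
```

A trace whose headers look like `stale` fails the header check on nearly every packet, which is the situation where `redef ignore_checksums = T` applies.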